My home PC is usually on, but the monitor is off. This evening I came home from work and found what looks like a hack attempt: in my browser, my Gmail was open (that was me), but it was in compose mode with the following in the TO field:

This looks like Windows command line code to me, and the md start of the code combined with the fact that Gmail was in compose mode, makes it evident that someone tried to run a cmd command. I guess I was lucky that I don't in fact run Windows on this PC, but I have others that do. This is the first time ever that something like this has happened to me. I'm not a Linux guru, and I wasn't running any other programs apart from Firefox at the time.

I'm absolutely sure that I didn't write this, and nobody else was physically at my computer. Also, I have recently changed my Google password (and all my other passwords) to something like vMA8ogd7bv so I don't think that someone hacked my Google account.

What did just happen? How does someone put keystrokes on my computer when it's not granny's old Windows machine that has been running malware for years, but a recent new Ubuntu install?

Update:
Let me address some of the points and questions:

I'm in Austria, in the countryside. My WLAN router runs WPA2/PSK and a medium-strong password that's not in the dictionary; would have to be brute-force and less than 50 meters from here; it's not likely that it got hacked.

I'm using a USB wired keyboard, so again very unlikely that anybody could be within range to hack it.

I wasn't using my computer at the time; it was just idling at home while I was at work. It's a monitor-mounted nettop PC, so I rarely turn it off.

The machine is only two months old, only runs Ubuntu, and I'm not using weird software or visiting weird sites. It's mainly Stack Exchange, Gmail, and newspapers. No games. Ubuntu is set to keep itself up to date.

I'm not aware of any VNC service running; I certainly haven't installed or enabled one. I've also not started any other servers. I'm unsure if any are running in Ubuntu by default?

What I really want to know, and what really makes me feel unsafe, is: how can anyone from the Internet generate keystrokes on my machine? How can I prevent that without being all tinfoil-hat about it? I'm not a Linux geek, I'm a father who's messed with Windows for 20+ years and is tired of it. And in all the 18+ years of being online, I've never personally seen any hack attempt, so this is new to me.
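A quick way to answer the "are any servers running by default" part of the question, added here as an example and not taken from the original post: the script below lists every listening TCP socket and flags the 5900-5909 display range that VNC servers such as Ubuntu's vino use. It assumes iproute2's `ss` is installed and, for the last line, that GNOME's `org.gnome.Vino` gsettings schema is present; the `ss` output embedded for the self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the original question. Lists listening TCP sockets
# and flags VNC ports (5900-5909). Assumes iproute2's `ss` (any modern Ubuntu).

# Read `ss -tlnp` output on stdin and print "port process" for each listener.
# Field 4 is Local Address:Port; the port is whatever follows the last colon,
# which also handles IPv6 addresses like [::]:631 and scoped ones like
# 127.0.0.53%lo:53. The last field carries the process when `ss` could read it.
parse_listening() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n]
        proc = ($NF ~ /^users:/) ? $NF : "-"
        print port, proc
    }'
}

# Succeeds (exit 0) when any listener sits in the VNC display range 5900-5909.
has_vnc_listener() {
    parse_listening | awk '$1 >= 5900 && $1 <= 5909 { found = 1 } END { exit !found }'
}

# Constructed sample of `ss -tlnp` output with a vino listener on display :0.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=612,fd=13))
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*  users:(("vino-server",pid=2210,fd=9))
LISTEN 0      128    [::]:631           [::]:*     users:(("cupsd",pid=800,fd=7))'

# Constructed sample with no VNC listener, for comparison.
SAMPLE_SS_CLEAN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=612,fd=13))'

echo "== constructed sample =="
printf '%s\n' "$SAMPLE_SS" | parse_listening
printf '%s\n' "$SAMPLE_SS" | has_vnc_listener && echo "VNC port open in sample"

# Live check on this machine when `ss` is available (run as root to see every process name).
if command -v ss >/dev/null 2>&1; then
    echo "== this machine =="
    ss -tlnp 2>/dev/null | parse_listening
    if ss -tlnp 2>/dev/null | has_vnc_listener; then
        echo "WARNING: something is listening on a VNC port"
    fi
    # On GNOME desktops vino's on/off switch lives in gsettings (schema assumed present).
    gsettings get org.gnome.Vino enabled 2>/dev/null || true
fi
```

A listener on 5900 with a remote peer address of `0.0.0.0:*` is reachable from the LAN, which is what the VNC theory in the comments needs; a listener bound only to `127.0.0.1` is not.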

Did anyone else have access to your computer, or do you have a very old wireless keyboard? Also, Ubuntu has a built-in VNC server. If that's active, a random script somewhere could have connected and assumed it was a Windows computer, sending the keystrokes WIN+R, cmd......
– TuxRug, Apr 20 '11 at 19:32

Are there any other computers on your wireless network? If the intruder broke their security it would give him an "in" to your local network, which could lead to cracking the Ubuntu box in various ways.
– CarlF, Apr 20 '11 at 20:28

3

@muntoo ... and I'm sure you haven't written that down anywhere and don't use any app to manage them either, right? Let's not begin password-bashing; at least my password isn't password :-)
– Torben Gundtofte-Bruun, Apr 21 '11 at 8:39

5 Answers

I doubt you have anything to worry about; it was more than likely a JavaScript attack that tried to do a drive-by download. If you are concerned about this happening, start using the NoScript and AdBlock Plus Firefox add-ons.

Even when visiting trustworthy sites you are not safe, because they run JavaScript from third-party advertisers that can be malicious.

It is an automated attack that is trying to get you to download mIRC and join a botnet that will turn you into a spambot... it had my VM join and make a connection to a number of different remote addresses, one of which is autoemail-119.west320.com

Running it in Windows 7 I had to accept the UAC prompt and allow it access through the Firewall.

There seem to be tons of reports of this exact command on other forums; someone even says that a torrent file tried to execute it when it finished downloading... not sure how that would be possible though.

I agree with @jb48394 that it's probably a JavaScript exploit, like everything else these days.

The fact that it tried to open a cmd window (see @torbengb's comment) and run a malicious command, rather than just downloading the trojan discreetly in the background, suggests that it exploits some vulnerability in Firefox which allows it to enter keystrokes, but not run code.

This also explains why this exploit, which was clearly written exclusively for Windows, would also work in Linux: Firefox runs JavaScript the same way in all OSes (at least, it tries to :) ). If it were caused by a buffer-overflow or similar exploit meant for Windows, it would have just crashed the program.

As for where the JavaScript code came from - probably a malicious Google advert (ads cycle in Gmail throughout the day). It wouldn't be the first time.

FYI for skimmers, that last "link" is actually five separate links.
– Pops ♦, Apr 21 '11 at 18:50

It would be quite shocking if it's really a JavaScript exploit, as my Firefox normally stays open for days. However, you need to call a special API to send keys to another system under Windows and probably a different system call (if it exists) under Linux. Since sending keystrokes is not a normal JavaScript operation, I doubt Firefox would implement a cross-platform call for that.
– billc.cn, Jul 21 '11 at 20:53

This doesn't answer your whole question, but look in the log file for failed logon attempts.

If there are more than about five failed attempts in your log, then somebody tried to crack root. If there is a successful attempt to logon to root while you were away from your computer, CHANGE YOUR PASSWORD IMMEDIATELY!! I mean RIGHT NOW! Preferably to something alphanumeric, and about 10 chars long.

With the messages that you got (the echo commands) this really sounds like some immature script kiddie. If it was a real hacker who knew what he was doing, you probably still would not know about it.
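One way to carry out that log check on an Ubuntu box, added here as an example rather than code from the answer: it counts sshd's "Failed password" lines and any successful root logins in auth.log, lists where the failures came from, and applies the answer's threshold of more than about five failures. The log lines embedded for the self-check are constructed (203.0.113.7 is a documentation address); the message formats assumed are the usual sshd and pam_unix ones, which Ubuntu writes to /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not from the original answer. Audits an Ubuntu auth.log for
# brute-force attempts and successful root logins. Assumes the standard sshd /
# pam_unix message formats; Ubuntu writes them to /var/log/auth.log.

# Number of failed password attempts in the given log file.
# grep -c exits 1 when the count is 0, so `|| true` keeps callers under set -e happy.
count_failed_logins() {
    grep -c 'Failed password' "$1" || true
}

# Number of successful root logins: sshd's "Accepted ... for root" plus PAM
# session openings for root (su/sudo/console logins show up as the latter).
count_root_logins() {
    grep -Ec 'Accepted (password|publickey) for root|session opened for user root' "$1" || true
}

# Source addresses of the failures, most frequent first ("count address" per line).
failed_sources() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port.*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Print a summary; return 1 when the answer's rule of thumb is hit
# (more than about five failures) or when root logged in at all.
audit_auth_log() {
    failed=$(count_failed_logins "$1")
    root_ok=$(count_root_logins "$1")
    echo "failed logins: $failed"
    echo "successful root logins: $root_ok"
    echo "failure sources:"
    failed_sources "$1"
    if [ "$failed" -gt 5 ] || [ "$root_ok" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample log (203.0.113.7 is a documentation address), written to a
# temp file that is left in place so the functions above can be re-run against it.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 20 03:14:01 nettop sshd[2311]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 20 03:14:04 nettop sshd[2311]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 20 03:14:07 nettop sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Apr 20 03:14:10 nettop sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Apr 20 03:14:13 nettop sshd[2311]: Failed password for root from 203.0.113.7 port 51140 ssh2
Apr 20 03:14:16 nettop sshd[2311]: Failed password for root from 203.0.113.7 port 51140 ssh2
Apr 20 03:14:20 nettop sshd[2320]: Accepted password for root from 203.0.113.7 port 51150 ssh2
Apr 20 03:14:20 nettop sshd[2320]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 20 08:00:01 nettop CRON[2400]: pam_unix(cron:session): session opened for user torben by (uid=0)
EOF

echo "== constructed sample =="
audit_auth_log "$SAMPLE_LOG" || echo "SUSPICIOUS: sample exceeds the threshold"

# Live check against the real log when it is readable (usually needs sudo).
if [ -r /var/log/auth.log ]; then
    echo "== /var/log/auth.log =="
    audit_auth_log /var/log/auth.log || echo "SUSPICIOUS: review the lines above and change your password"
fi
```

On the constructed sample the audit reports six failures and two root-login lines from one address and returns non-zero. A stock Ubuntu desktop does not install an SSH server, so on such a machine the "Failed password" lines can only appear once openssh-server has been added; `last root` (which reads wtmp rather than auth.log) is a second, independent place to look for root sessions.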

I agree this was evidently very amateurish. At least they shouldn't have put echo you've been owned at the end. Makes me wonder if any "real hackers" ever got through? Or indeed I should perhaps be asking, how many?
– Torben Gundtofte-Bruun, Apr 21 '11 at 8:43

1

@torgengb: if the command were run in a Windows command prompt, you wouldn't see the echo (because of the &exit)
– BlueRaja, Apr 25 '11 at 19:08

DEF CON has a Wi-Fi competition each year as to how far away a Wi-Fi access point can be reached - the last I heard it was 250 miles.

If you really want to be scared, look at the screenshots of a command-n-control center of a Zeus botnet. No machine is safe, but Firefox on Linux is safer than the rest. Even better, if you run SELinux.

The author of this exploit clearly had no intention of running this on Linux, so I doubt it had anything to do with a vulnerable GNOME utility or a weak password (also, OP already mentioned he has a secure password).
– BlueRaja, Apr 20 '11 at 22:11

Actually, he does not mention having an Ubuntu password, just a Gmail and wireless passphrase. A kid running Metasploit may not even know about Linux; he just sees VNC. It is most likely a JavaScript attack.
– rjt, Jun 17 '12 at 4:21